Fix: increment buffer offset when failing to copy from user-space
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fri, 7 May 2021 19:03:04 +0000 (15:03 -0400)
committerMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Wed, 12 May 2021 14:29:53 +0000 (10:29 -0400)
Upon failure to copy from user-space due to failing access ok check, the
ring buffer offset is not incremented, which could generate unreadable
traces because we don't account for the padding we write into the ring
buffer.

Note that this typically won't affect a common use-case of copying
strings from user-space, because unless mprotect is invoked within a
narrow race window (between user strlen and user strcpy), the strlen
will fail on access ok when calculating the space to reserve, which will
match what happens on strcpy.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: Ic4d9487dd8870a526bae3023bb80f5e6301cec50

lib/ringbuffer/backend.h

index 855f1e017a2f5aa6936a7aa9ce521c31d9c1e1e7..d811911020d10f0b9d32e9cfaa3ce18a4ad0ae70 100644 (file)
@@ -313,6 +313,7 @@ fill_buffer:
         * the pollution of static inline code.
         */
        _lib_ring_buffer_memset(bufb, offset, 0, len, 0);
+       ctx->priv.buf_offset += len;
 }
 
 /**
@@ -395,6 +396,7 @@ fill_buffer:
        _lib_ring_buffer_memset(bufb, offset, pad, len - 1, 0);
        offset += len - 1;
        _lib_ring_buffer_memset(bufb, offset, '\0', 1, 0);
+       ctx->priv.buf_offset += len;
 }
 
 /*
This page took 0.026341 seconds and 4 git commands to generate.